Is managing your release of information requests worth the risk?
As a practice owner or administrator, you don’t need reminding that operating a HIPAA-compliant practice is crucial, and that it is becoming more difficult as the rules and penalties become tighter and more progressive. With “mile markers” from the HITECH Act becoming enforceable, this article was written to educate readers by outlining exactly how to determine whether breach notification is necessary and by examining a major change to the Covered Entity (CE) and Business Associate (BA) relationship. The content also provides tried and true best practices and ways to mitigate the risk and liability introduced by the new regulations. Much like using an accountant for your income tax filing, using a reputable BA for outsourced services may provide protection, peace of mind and potential savings.
Focusing on changes to the day-to-day office workflow.
The effects of the changes rolled out in the HITECH Act are widespread and will impact many (if not all) facets of HIPAA compliance. This article focuses specifically on how the changes will affect the covered entity in its day-to-day office activities that involve sensitive information, as opposed to intentional or malicious breaches.
To notify or not? The tale of two Mr. Smiths.
To really understand these changes, it is easiest to think about a real-world scenario. We will look at three examples of wrongful disclosure of information and determine whether each is a breach for which you must follow the notification protocols.
Example 1: John Smith, Sr., was born in 1947 and his son, John Smith, Jr., was born in 1974. The father, Mr. Smith, Sr., requested that a copy of his medical record be mailed to him. When the records arrived, they were those of his son, John Smith, Jr. He immediately called your practice because he still needs his own information. You must then determine whether this is a breach for which notification action is required:
• Question One: Was the protected health information secure? In this situation, the answer is, “No.” By HIPAA definition, secure means encrypted or destroyed. These files were loose paper records in a mailing envelope.
• Question Two: Do any of the exclusions apply? (See Appendix A.) No, none of the exclusions apply.
• Question Three: Is there significant risk of financial, reputational, or other harm to the individual whose information was wrongfully disclosed? In this example, one would hope the answer is, “NO”! (After all, it is his son.) However, as we know, an estranged relationship or sensitive information in the file could be a problem. With verbal confirmation and a documented historical trail, you could ask Mr. Smith, Sr., to either hand the record over to his son or destroy it appropriately. (Note: Mr. Smith, Sr., may be unaware of the risk he poses to his son if he simply throws the record in the trash or, even worse, leaves it in his curbside recycling bin. It is crucial to define a script and policy for exactly what your staff should say to Mr. Smith, Sr., to ensure no further disclosure of the information.)
Therefore, it could be determined that this is not a breach, and you would not be required to follow the notification protocol. However, you must document what happened and why/how you determined that it is not a breach. It would also certainly be a good PR/customer service move to contact Mr. Smith, Jr., and assure him of your protocols to protect his information, because it is highly likely that his father will alert him to this mistake.